ESM: Set Up Notifications

Document created by RSA Information Design and Development on Jul 27, 2016
Version 1Show Document
  • View in full screen mode

Notifications are sent when thresholds are not met.

Notifications go hand-in-hand with Thresholds. Before you configure notifications, you should set up Thresholds for an event source group.

Note: After configuring the thresholds for an event source group, if you do not set any notifications, then even if an alert is triggered, users are not notified.


Before you set up notifications for an event source group, you should review the available notification items:

  • Notification Servers: These are the servers that you want to receive notifications from the system. For more details, see Notification Servers Overview topic in the System Configuration Guide.
  • Notification Output: The outputs contain the parameters for the notification type. For example, an email notification type contains the email addresses and subject for the notification. For more details, see Notification Outputs Overview topic in the System Configuration Guide.

    In the Define Email Notification dialog box, from the Subject Template Type drop down menu, choose Event Source Monitoring default email subject:


    If you specify this for the subject, an example of the email notification subject would be, SA-ESM Notification | Low threshold triggered on Windows group. In this case, the low threshold for the Windows group triggered the notification.

  • Notification Templates: These are the available templates for each type of notification. For Event Source Management, default templates are supplied for Email (SMTP), SNMP, and Syslog. You can use these templates as supplied, or customize them if necessary. For more details, see Templates Overview topic in the System Configuration Guide.

Large Email Notifications

If you have set up email notifications, keep in mind that the email can grow very large, depending on the number of event sources in the notification.

If the number of event sources in the alarmed state exceeds 10,000, then the email notification contains the details for only the first 10,000 and a total count. This is to ensure that the email is successfully delivered.


High and Low Thresholds Both Triggered

There may be occasions when both the high and low alarms are both triggered for a particular event source group. The easiest way to see when this happens is to read the email header, which clearly states when both thresholds are triggered, as shown in this image:


In this example, the header states, "High threshold and Low threshold triggered on ciscopix group." To see the details for the low threshold event sources, you may need to scroll down past hundreds, or even thousands, of the high threshold event sources.

To add notifications for an event source group:

  1. In the Security Analytics menu, select Administration > Event Sources.
  2. Select the Monitoring Policies tab.
  3. In the Event Groups panel, select a group.

    Note: You should have already set a threshold for the group. If not, see Set and View Thresholds for Alert Policies to set a threshold, and then return to this procedure.

  4. In the Notifications panel, click 104ApplAdd.png, and from the drop-down menu, select the type of notification you want to add:

    • Email
    • SNMP
    • Syslog
  5. Enter values for the Notification, Notification Server, and Template fields.

    1. For Notification, select from the list, or add a suitable notification type in Notifications, and then select it here.
    2. For the Server, select one from the list, or add a suitable server in Notifications, and then select it here.
    3. For Template, select an available template, or create a suitable template in Notifications, and then select it here.

    If you need to add or edit one of these items, click Notification Settings. A new browser window opens on the Administration > System > Notifications page. Use this page to view or update the available Notification items.

  6. Optionally, you can limit the rate of notifications for a policy.

    1. Select Output Suppression to enable setting a limit.
    2. Enter a value, in minutes, for the suppression rate. For example, if you enter 30, notifications for this policy are limited to one notification every 30 minutes.
    3. Click Save.

Here is an example of a monitoring policy that contains a threshold and notification for an event source group.


You are here: Procedures > Monitor Policies > Set Up Notifications